Address Poisoning Scams: How They Work and How to Stay Safe
If you have spotted an unfamiliar tiny or zero-value transaction in your wallet, or you have already sent crypto to the wrong address, take a breath β you are in the right place. This guide explains address poisoning in plain English: what it is, how to spot it, and what to do next.
How an address poisoning scam works
Wallet addresses are long strings of random characters, so most people never read the whole thing. They glance at the first few and last few characters, and copy the address straight from their transaction history when they want to send funds again. Address poisoning is built to exploit exactly that habit.
Here is the sequence attackers use:
- They watch the blockchain for a wallet that regularly sends funds to a particular address β for example, your own exchange deposit address or a business partner.
- Using automated tools, they generate a lookalike address that shares the same first and last characters as the address you use. The middle is different, but wallet apps usually hide the middle behind an ellipsis (β¦).
- They send you a tiny amount of crypto ("dust") or a zero-value transfer from that lookalike address. This "poisons" your history: the fake address now sits in your recent transactions, looking almost identical to the real one.
- Days or weeks later, you go to send funds. You scroll your history, see an address that starts and ends the way you expect, copy it, and send. The money goes to the attacker instead.
Because blockchain transfers cannot be reversed, the funds are gone the moment the transaction confirms. The whole scam relies on a single copy-paste mistake β no hacking of your wallet is required.
How common is it, and how much do people lose?
This is not a rare or fringe attack. Researchers at Carnegie Mellon University documented roughly 270 million address poisoning attempts targeting about 17 million victim addresses on Ethereum and Binance Smart Chain between July 2022 and June 2024, tied to at least $83.8 million in confirmed losses β making it one of the largest phishing schemes ever documented on public blockchains.
Individual losses can be enormous. In one 2024 campaign analyzed by Chainalysis, attackers deployed 82,031 lookalike addresses, and 2,774 victim addresses sent roughly $69.7 million to them. In December 2025, a single trader lost almost $50 million in USDT after copying a poisoned address whose first five and last four characters matched the real one.
The point is not to frighten you β it is to underline that careful, experienced people fall for this. If it happened to you, it does not mean you were careless or foolish.
Warning signs to watch for
Address poisoning is quiet by design, but there are tells:
- An unexpected tiny transfer (a few cents of a token) or a zero-value transaction showing up in your history from an address you do not recognise.
- A transaction from an address that looks almost but not exactly the same as one you use often β same start and end, different middle.
- Fake token entries in your history (for example, a transfer labelled as USDT that you never made) designed to sit next to your real transactions.
Important reassurance: receiving dust or a zero-value transfer does not give anyone access to your wallet, and it does not put your existing funds at risk on its own. The danger only appears if you later copy and reuse that poisoned address. So if you have received one but not sent anything, you have not lost money β just be careful about where you copy addresses from.
What to do if you have already sent funds to a poisoned address
We will be honest with you, because false hope helps no one: once a blockchain transaction confirms, it is irreversible, and recovering funds sent to a scammer is usually not possible. A handful of very high-profile victims have negotiated returns directly with attackers, but that is rare and not something you can rely on. Please treat any promise of guaranteed recovery with deep suspicion.
That said, there are still worthwhile steps:
- Stop and check the amount. If you have not yet sent the full amount, or you sent a small test first, do not send more until you have verified the address from a trusted source β not your history.
- Report it to the exchange. If the funds passed through, or ended up at, a centralized exchange, contact that exchange's support and fraud team quickly with the transaction hash. In rare cases funds can be frozen before they are cashed out.
- Report to law enforcement. File a report with your local police and, if relevant, national cybercrime bodies such as the FBI's Internet Crime Complaint Center (ic3.gov) in the US or Action Fraud in the UK. A report is often required before any institution will act, and it feeds broader investigations.
- Record everything. Save the transaction hashes, the poisoned address, screenshots, and dates. This is what any legitimate investigator or exchange will ask for.
- Warn people who share your history. If a business partner or family member sends to the same real address, tell them so they do not copy the poisoned one too.
How to protect yourself going forward
The good news is that address poisoning is very preventable once you know the trick. Build these habits:
- Never copy an address from your transaction history. This is the single most important rule. Use a saved contact, an address book or allowlist, or get the address directly from the recipient each time.
- Verify the whole address, not just the ends. Check the full string, character by character, especially the middle that your wallet hides. For large transfers, this five-second check is worth it.
- Use your wallet's address book or whitelist feature. Many wallets let you save trusted addresses and only send to them, which removes the copy-from-history risk entirely.
- Send a small test transaction first for large transfers β but verify the address independently first, because attackers now target the test step too.
- Use a hardware wallet where the full recipient address is displayed on the device's own screen for confirmation.
- Ignore and do not interact with dust. Do not send, swap, or click on unexpected tiny or zero-value tokens that appear in your wallet.
A warning about "recovery" services
After a crypto loss, you may be contacted by β or find adverts for β companies or individuals promising to "recover" your stolen funds. Please be extremely careful here, because these recovery offers are frequently a second scam that targets people who have already been hurt once.
Remember one simple rule: no legitimate party ever charges an upfront fee to get your money back. Real law enforcement, real exchanges, and legitimate lawyers do not ask you to pay a fee, a "tax," or a "deposit" in advance to release recovered crypto. Anyone who does β especially someone who contacted you first, guarantees results, or asks for your wallet's seed phrase or remote access to your device β is trying to scam you again.
Scam First Aid is free and independent. We do not offer recovery services and we do not take a cut of anything. The honest steps in the section above are the legitimate routes available to you.
Frequently asked questions
I received a tiny or zero-value transfer I did not make. Has my wallet been hacked?
No. Anyone can send a transaction to your public address, and receiving dust or a zero-value transfer does not give them access to your wallet or your funds. It is an attempt to plant a lookalike address in your history. As long as you never copy and reuse that address, your money is safe. Do not interact with the dust β just leave it.
Can I get my money back if I sent crypto to a poisoned address?
Usually, no. Blockchain transactions are irreversible, and funds sent to a scammer are typically unrecoverable. A few high-profile victims have negotiated returns directly with attackers, but that is rare. It is still worth reporting the transaction to any exchange involved and to law enforcement quickly β occasionally funds can be frozen before they are cashed out.
Should I pay a company that promises to recover my stolen crypto?
No. No legitimate service charges an upfront fee to recover funds. Recovery-fee offers are one of the most common follow-up scams targeting people who have already lost money. Anyone guaranteeing recovery, asking for a fee in advance, or requesting your seed phrase is trying to scam you a second time.
How do scammers make an address that looks like mine?
They use automated software to generate huge numbers of addresses until one matches the first and last characters of an address you use. Since wallet apps usually hide the middle of an address behind an ellipsis, a lookalike that shares the start and end can look identical at a glance. That is why verifying the full address matters.
What is the safest way to send a repeat payment to the same address?
Do not copy it from your transaction history. Instead, save it once in your wallet's address book or allowlist and reuse that saved contact, or get the address again directly from the recipient. For large amounts, verify the full string character by character and confirm it on a hardware wallet screen if you have one.
Sources
- Carnegie Mellon CyLab β study of ~270M address poisoning attempts, 17M victim addresses, $83.8M+ in confirmed losses (July 2022βJune 2024, Ethereum & BSC)
- USENIX Security 2025 β Tsuchiya et al., "Blockchain Address Poisoning" (peer-reviewed research paper)
- Chainalysis β Anatomy of an Address Poisoning Scam (2024 campaign: 82,031 lookalike addresses, 2,774 victim addresses, ~$69.7M sent to poisoned addresses)
- The Block β Crypto trader loses ~$50M in USDT to address poisoning (December 2025)
- Ledger Academy β What Are Address Poisoning Attacks and How to Avoid Them
β οΈ Beware "recovery" services. Anyone who contacts you promising to get your money back for an upfront fee is almost always a second scam. See the red flags β
Get your personal action plan
Answer 4 quick questions for a tailored checklist + a copy-ready report template. Nothing is saved.
Start the action planRelated: Pig butchering Β· Recovery scams Β· Fake investment platforms Β· Phishing & account takeover Β· Report a scam